Audit Report

OIG-09-017
Management Letter for Fiscal Year 2008
Audit of the Financial Management Service’s
Schedule of Non-Entity Government-wide Cash

December 18, 2008

Office of Inspector General
DEPARTMENT OF THE TREASURY

This report has been reviewed for public dissemination by the Office of Counsel to the Inspector General. Information requiring protection from public dissemination has been redacted from this report in accordance with the Freedom of Information Act, 5 U.S.C. Section 552.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
OFFICE OF INSPECTOR GENERAL

December 18, 2008

MEMORANDUM FOR JUDITH R. TILLMAN, COMMISSIONER
               FINANCIAL MANAGEMENT SERVICE

FROM:     Michael Fitzgerald /s/
          Director, Financial Audits

SUBJECT:  Management Letter for Fiscal Year 2008 Audit of the Financial Management Service’s Schedule of Non-Entity Government-wide Cash

I am pleased to transmit the attached management letter in connection with the audit of the Financial Management Service’s (FMS) Fiscal Year (FY) 2008 Schedule of Non-Entity Government-wide Cash. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed an audit of FMS’s Schedule of Non-Entity Government-wide Cash for FY 2008. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying management letter that discusses certain matters involving internal control and other operational matters that were identified during the audit but were not required to be included in the auditors’ reports.

This letter contains sensitive information about FMS’s information technology policies and practices, such as thresholds and tolerances, which requires protection from public dissemination. This information was redacted in our report for public dissemination in accordance with Exemption 2 of the Freedom of Information Act, 5 USC § 552(b)(2). Recipients of this letter should not show or release its contents for purposes other than official review, to prevent publication or other improper disclosure of the information it contains.

In connection with the contract, we reviewed KPMG LLP’s letter and related documentation and inquired of its representatives. Our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Mark S. Levitt, Manager, Financial Audits, at (202) 927-5076.

Attachment

cc:  Kenneth E. Carfine
     Fiscal Assistant Secretary


U.S. DEPARTMENT OF THE TREASURY
FINANCIAL MANAGEMENT SERVICE
FISCAL YEAR 2008
Non-Entity Government-wide Cash

Management Letter (REDACTED VERSION)

November 17, 2008


U.S. DEPARTMENT OF THE TREASURY
Non-Entity Government-wide Cash
Fiscal Year 2008
Management Letter

Table of Contents

Transmittal Letter

Exhibit I – Current Year Comments and Recommendations:
    1. Lack of Timely Monitoring of STAR Account 20A1840, Agency Location Code (ALC) 20180011, Deposits in Suspense
    2. Portions of Cash Accounts Excluded from the Schedule of Non-Entity Government-Wide Cash: Held by Bangkok, CSSGL #20A1225, and Charleston, CSSGL 20A1226 USDOs
    3. GOALS II/CITRIX Password History Configuration Not in Compliance with Established Policy
    4. User System Access Is Not Being Removed in a Timely Manner upon Separation of Employment from FMS (Repeat Condition)
    5. Interconnection Security Agreements (ISA) Were Not in Place for Several CA$HLINK II System Interconnections (Repeat Condition)


KPMG LLP
2001 M Street, NW
Washington, DC 20036

November 17, 2008

Inspector General, U.S. Department of the Treasury and
Commissioner of the Financial Management Service:

We have audited the Schedule of Non-Entity Government-wide Cash (GWC) of the U.S. Department of the Treasury’s Financial Management Service (FMS) as of September 30, 2008 (hereinafter referred to as the “Schedule”) and have issued our report thereon dated November 17, 2008. The Schedule as of September 30, 2007 was audited by other auditors, whose report thereon, dated November 8, 2007, expressed an unqualified opinion on that Schedule. In planning and performing our audit of FMS’s Schedule, in accordance with auditing standards generally accepted in the United States of America, we considered internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the Schedule, and not for the purpose of expressing an opinion on the effectiveness of FMS’s internal control relating to GWC. Accordingly, we do not express an opinion on the effectiveness of FMS’s internal control relating to GWC. We have not considered internal control since the date of our report.

During our audit we noted certain matters involving internal control and other operational matters that we present for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are summarized in Exhibit I.

Our audit procedures are designed primarily to enable us to form an opinion on the Schedule described above, and therefore may not bring to light all deficiencies in policies, procedures, or internal control that may exist. We aim, however, to use our knowledge of FMS relating to GWC gained during our work to make comments and suggestions that we hope will be useful to you. We would be pleased to discuss these comments and recommendations with you at any time.

FMS’s responses to our comments and recommendations have not been subjected to the auditing procedures applied in the audit of the Schedule and, accordingly, we express no opinion on them.

This communication is intended solely for the information and use of FMS management, the U.S. Department of the Treasury’s Office of Inspector General, the Office of Management and Budget, the Government Accountability Office, and the U.S. Congress, and is not intended to be, and should not be, used by anyone other than these specified parties.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.


Exhibit I

Financial Management Service
Non-Entity Government-wide Cash

Current Year Comments and Recommendations

September 30, 2008


1. Lack of Timely Monitoring of STAR Account 20A1840, Agency Location Code (ALC) 20180011, Deposits in Suspense

We noted that the Cash Analysis Branch within the Cash Accounting Division did not monitor STAR Account 20A1840, ALC 20180011, on a timely basis after a former employee retired. The STAR Suspense Listing for ALC 20180011 contained 46 items as of July 24, 2008, including 12 items with vouchers dated between November 20, 2007 and March 31, 2008. The Government Accountability Office (GAO) Standards for Internal Control in the Federal Government states, “Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency’s operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.” In this regard, Standard Operating Procedures within FMS provide for monitoring ALC 20180011 daily. The lack of timely monitoring over the items that remain in STAR Account 20A1840, ALC 20180011, increases the risk that amounts are neither reported in the Schedule nor resolved on a timely basis.

Recommendation:

We recommend that FMS management ensure smooth job transitions for changes in personnel so that the monitoring of suspense accounts is performed in a timely manner.

Management’s Response: Concur

Standard Operating Procedures have been updated and reviewed with the employee. ALC 20180011 is now being properly monitored on a daily basis. ALC 20180011 is reconciled by obtaining postings to the ALC from CA$HLINK II and the STAR system. Involved financial institutions are contacted to make voucher corrections to the proper ALC, or the financial institutions may provide the correct deposit ticket/debit voucher to the Cash Analysis Branch to make the correction on the financial institution’s behalf.


2. Portions of Cash Accounts Excluded from the Schedule of Non-Entity Government-Wide Cash: Held by Bangkok, CSSGL #20A1225, and Charleston, CSSGL 20A1226 USDOs

We noted that only a portion of the balances of FMS accounts 20A1225 and 20A1226 were included in the GWC Schedule. The balances in these accounts totaled approximately $111 million. Of that, approximately $79 million is not being reflected in the Schedule of Non-Entity Government-Wide Cash.

In the past, U.S. dollar balances in accounts 20A1225 and 20A1226 have not been included in the Schedule because the Charleston and Bangkok USDOs have not reported the balances in the various bank accounts and cashier offices throughout the world that make up these balances.

The Government Accountability Office (GAO) Standards for Internal Control in the Federal Government states, “An integral component of an organization’s management provides reasonable assurance that the following objectives are being achieved ... reliability of financial reporting. Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency’s operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.”

Not including the entire balances of accounts 20A1225 and 20A1226 in the Schedule of Non-Entity Government-wide Cash at September 30, 2008 caused the Schedule to be understated by approximately $79 million.

Recommendation:

We recommend that FMS management work with the USDOs in Charleston and Bangkok to obtain a complete accounting of the nature, amounts, and locations that make up the balances in 20A1225 and 20A1226, and include these amounts in the Schedule of Non-Entity Government-wide Cash.

Management Response: Concur

A corrective action plan has not been finalized at this time. Management expects to complete a corrective action plan by March 30, 2009.


3. GOALS II/CITRIX Password History Configuration Not in Compliance with Established Policy

Although the Government Online Accounting Link II (GOALS II)/Citrix System Security Plan and the FMS IT Security Standards Manual require that information systems store a history of the last ** passwords used, we found that the password history setting on the GOALS II/Citrix operating system has not been configured in accordance with FMS policy. Specifically, the password history on the GOALS II/Citrix server “SYBASEEP” has been set to record the last ******* passwords. Allowing a user to reuse passwords too frequently increases the likelihood of a password becoming compromised.

Recommendation:

We recommend that FMS set the password history configuration on the GOALS II/Citrix “SYBASEEP” server to **.
[* - information REDACTED - FOIA EXEMPTION 2, 5 U.S.C. §552(b)(2)]

Management Response: Concur

This low-risk issue was closed during fieldwork.


4. User System Access Is Not Being Removed in a Timely Manner upon Separation of Employment from FMS (Repeat Condition)

Three (3) out of fifteen (15) FMS employees who separated from FMS in FY 2008 did not have their network access removed in accordance with the FMS Human Resources Division Standard Operating Procedure EXT-08-01: Employee Exit Clearance or the FMS IT Security Standards Manual.

FMS Human Resources Division Standard Operating Procedure EXT-08-01: Employee Exit Clearance states, “Upon notification of an employee’s departure through the Employee Exit Clearance System, Information Resources takes necessary steps to remove FMS system access within *************************** after the date of the separation/transfer.”

FMS IT Security Standards Manual S-0200.25, Personnel Security Controls, section Separation from Duty, states, “All accounts shall be deactivated within ******************* of an individual’s departure on friendly terms and immediately upon an individual’s departure on unfriendly terms.”

If an individual’s system access is not removed in a timely manner upon separation, that individual retains the ability to access, modify, add, or delete sensitive data.
[* - information REDACTED - FOIA EXEMPTION 2, 5 U.S.C. §552(b)(2)]

Recommendation:

We recommend that FMS management remove access to all information systems within the timeframes outlined in the FMS Human Resources Division Standard Operating Procedure EXT-08-01: Employee Exit Clearance and the FMS IT Security Standards Manual.

Management Response: Concur

NFR Number GWC-IT-2008-01 identifies three (3) former FMS employees that did not have their system access removed in a timely manner. One employee cited was processed through the old exit clearance process prior to new procedures being implemented in March 2008. The circumstances surrounding the separations of the other two employees were complicated and unique. FMS continues to ensure that access to all information systems is removed in a timely manner, as detailed below:

•   Compliance with the revised Exit Clearance SOP is being monitored on a weekly basis by the Manager, HR Operations and Systems Branch (HROSB) and the Deputy Director, Human Resources Division. The HROSB Manager is providing weekly reports to the Deputy Director summarizing all separations (FMS-wide) entered into the Exit Clearance System. The summary includes: a list of all separating employees, effective date of the separation, date the separation was entered into the Exit Clearance System, and the name of the HR Specialist (or Assistant) that entered the separation into the Exit Clearance System.
•   The HR Systems and Processing Team Leader is also monitoring personnel actions as they are being processed to ensure the Servicing HR Specialist is entering a corresponding action into the Exit Clearance System timely.
•   As a further “check and balance,” a member of the HR Systems and Processing Team runs daily reports of all pending and processed actions in HR Connect to verify that a corresponding request has been entered into the Exit Clearance System for every separation.

To underscore FMS’ commitment to addressing this finding, the Deputy HR Director will provide a weekly report to the Assistant Commissioner (and CFO), Management, detailing all pending FMS separations and the date the separation was entered into the Exit Clearance System.


5. Interconnection Security Agreements (ISA) Were Not in Place for Several CA$HLINK II System Interconnections (Repeat Condition)

In FY 2008, FMS completed corrective actions to implement an MOU (Memorandum of Understanding) and/or ISA (Interconnection Security Agreement) for the CA$HLINK II application’s external connections. However, the MOU for the CA$HLINK II external connection to the Commodity Credit Corporation (CCC) has expired, and an MOU for the interconnection with Fifth Third Bank is not in place.

The Financial Management Service (FMS) Information Technology Standards Manual states, “FMS’s Information Services Directorate develops Memorandums of Understanding (MOUs) and Interconnection Security Agreements (ISAs) for all direct connections to the Enterprise System. MOUs and ISAs are valid for three years from the date of the last signature on the document and are reviewed annually.”

The National Institute of Standards and Technology Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, provides a management approach for interconnecting IT systems, with an emphasis on security. The document recommends development of an Interconnection Security Agreement (ISA) and a Memorandum of Understanding (MOU). The ISA specifies the technical and security requirements of the interconnection, and the MOU defines the responsibilities of the participating organizations.

FMS management is developing policies and procedures to identify interconnections and interfaces to external information systems, document each interface and interconnection in the system’s security plan, and develop an MOU and ISA for these interfaces and interconnections. This activity is being tracked as a Plan of Action and Milestone by FMS management. However, the lack of an official record that documents interfaces with systems external to FMS could lead to inaccurate expectations, unclear responsibilities, and weak security protections between the two parties to the connection.

Recommendation:

We recommend that management continue to monitor the process to ensure that MOUs and ISAs are put in place for all interconnections with the CA$HLINK II application, including Fifth Third Bank.

Management Response: Partially Concurs

FMS notified our point of contact (POC) at the Commodity Credit Corporation (CCC) that our MOU and ISA were expiring. We provided updated templates for their review and signature. Shortly thereafter, CCC notified FMS that the CCC POC had passed away, thereby causing a delay in executing the agreements. Another individual assumed the responsibility of putting the agreements through the review process at CCC. After several e-mails to check on the status, CCC has notified FMS that the agreements have been completed and are ready for signature. FMS has done due diligence in making sure the agreements are executed but ultimately cannot control the other party to the agreement. Although we recognize the agreement was not signed by September 30, 2008, we do not agree that this issue should be a finding for FMS. Our process is solid and successful for the portion within our control.

PNC Bank has been working with Fifth Third Bank on an MOU and an ISA for a connection for another FMS application, unrelated to CA$HLINK II. This caused confusion at PNC Bank on the status of the agreement required for CA$HLINK II. The confusion has been resolved and the agreement is now signed.
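The script below is an added illustration of the reconciliation that finding 4 and its management response describe (HR separations checked against the Exit Clearance System and against actual account deactivation); it is not code from the report, FMS, or KPMG. The deactivation timeframes quoted from the policies are redacted, so FRIENDLY_DEADLINE_DAYS, the record layouts, and the sample records are assumptions constructed for the example.

```python
"""Reconcile HR separation records against account deactivation dates.

Added example for finding 4 of the FY 2008 management letter (not FMS code).
The policy deadlines on the page are redacted, so FRIENDLY_DEADLINE_DAYS is a
placeholder to be replaced with the value from the actual SOP; an unfriendly
departure must be deactivated the same day ("immediately").
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

FRIENDLY_DEADLINE_DAYS = 5  # placeholder: the real figure is redacted


@dataclass
class Separation:
    employee: str
    effective: date                          # separation/transfer date (HR Connect)
    entered_in_exit_system: Optional[date]   # None = never entered (control gap)
    friendly: bool                           # departure on friendly terms?


@dataclass
class Account:
    employee: str
    deactivated: Optional[date]  # None = access still active


def deadline(sep: Separation) -> date:
    """Latest acceptable deactivation date under the quoted policy."""
    if not sep.friendly:
        return sep.effective  # immediate removal on unfriendly departure
    return sep.effective + timedelta(days=FRIENDLY_DEADLINE_DAYS)


def reconcile(seps: List[Separation], accounts: List[Account],
              as_of: date) -> List[Tuple[str, str]]:
    """Return (employee, issue) pairs for every control failure found.

    'not in exit clearance system': HR separation with no Exit Clearance entry
    'access still active': no deactivation recorded and the deadline has passed
    'late deactivation': deactivated, but after the policy deadline
    """
    by_emp = {a.employee: a for a in accounts}
    findings: List[Tuple[str, str]] = []
    for s in seps:
        if s.entered_in_exit_system is None:
            findings.append((s.employee, "not in exit clearance system"))
        due = deadline(s)
        acct = by_emp.get(s.employee)
        if acct is None or acct.deactivated is None:
            if as_of > due:  # window closed, access never removed
                findings.append((s.employee, "access still active"))
        elif acct.deactivated > due:
            findings.append((s.employee, "late deactivation"))
    return findings


# Constructed sample data; not figures or names from the report.
SAMPLE_SEPARATIONS = [
    Separation("A. Able", date(2008, 3, 7), date(2008, 3, 7), True),
    Separation("B. Baker", date(2008, 5, 2), None, True),
    Separation("C. Charlie", date(2008, 6, 16), date(2008, 6, 16), False),
    Separation("D. Dog", date(2008, 9, 26), date(2008, 9, 29), True),
]
SAMPLE_ACCOUNTS = [
    Account("A. Able", date(2008, 3, 10)),     # 3 days: within placeholder window
    Account("B. Baker", None),                 # never deactivated
    Account("C. Charlie", date(2008, 6, 17)),  # unfriendly, one day late
    Account("D. Dog", None),                   # window still open at fiscal year end
]


def run_sample(as_of: date = date(2008, 9, 30)) -> List[Tuple[str, str]]:
    return reconcile(SAMPLE_SEPARATIONS, SAMPLE_ACCOUNTS, as_of)


if __name__ == "__main__":
    for employee, issue in run_sample():
        print(f"{employee}: {issue}")
```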